The RISKS Digest
Volume 32 Issue 03

Wednesday, 24th June 2020

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator


Contents

Vehicle Attacks Rise As Extremists Target Protesters
npr.org
Chrome extensions with 33 million downloads slurped sensitive user data
Ars Technica
Millions of documents from >200 US police agencies published in BlueLeaks trove
Ars Technica
Wrongfully Accused by an Algorithm
NYTimes
If T-Mobile's giant outage affected you, now's your chance to tell the FCC
Ars Technica
This sneaky malware goes to unusual lengths to cover its tracks
ZDNet
Masked arsonist might've gotten away with it if she hadn't left Etsy review
Jon Brodkin
Crooks abuse Google Analytics to conceal theft of payment card data
Ars Technica
Bot mafias have wreaked havoc in World of Warcraft Classic
WiReD
The Pentagon's Bottomless Money Pit
RollingStone
Testing, testing, testing
Rob Slade
Coronavirus misinformation, and how scientists can help to fight it
Dave Farber
Wirecard, a Payments Firm, Is Rocked by a Report of Missing $2B
NYTimes
Social Media Giants Support Racial Justice. Their Products Undermine It.
NYTimes
Square, Jack Dorsey's Pay Service, Is Withholding Money Merchants Say They Need
NYTimes
Many Medical Decision Tools Disadvantage Black Patients
NYTimes
Why Obsessive K-Pop Fans Are Turning Toward Political Activism
NYTimes
Re: TikTok Teens and K-Pop Fans Say They Sank Trump Rally
William Bader
Re: Silicon Valley Can't Be Neutral
John Levine
Info on RISKS (comp.risks)

Vehicle Attacks Rise As Extremists Target Protesters (npr.org)

Richard Stein <rmstein@ieee.org>
Mon, 22 Jun 2020 10:16:32 +0800
https://www.npr.org/2020/06/21/880963592/vehicle-attacks-rise-as-extremists-target-protesters

That a kill switch cannot be prophylactically applied to all non-emergency
vehicles in the vicinity of a protest exposes pedestrian marchers to heinous
and violent reprisals. A localized kill switch won't halt a '63 Chevy
Impala.

Kill switch vulnerabilities have appeared repeatedly in comp.risks:

https://catless.ncl.ac.uk/Risks/27/11#subj3.1
https://catless.ncl.ac.uk/Risks/27/84#subj10.1
https://catless.ncl.ac.uk/Risks/28/24#subj12.1
https://catless.ncl.ac.uk/Risks/28/25#subj5.1
https://catless.ncl.ac.uk/Risks/30/29#subj4.1

In https://catless.ncl.ac.uk/Risks/28/25#subj5.1, Jonathan Zittrain
<zittrain@law.harvard.edu> states:

  "I know I've long inveighed against vendor (and, by proxy, government)
  control over consumer technology, and I still think that's a central
  threat to both open code and free speech. But all of that
  otherwise-worrisome tech applied to weapons seems to invert the equities."

Given that kill switches are not readily viable solutions: Laying traffic
spikes across intersections and at start/end points traversed by protesters
might suppress vehicle ramming incidents.

Public safety offices require advanced notification to deploy traffic spikes
given a march route and duration estimate. Protest planning forbearance
reduces flash-mob spontaneity, but can enhance pedestrian safety that
appears absent today.


Chrome extensions with 33 million downloads slurped sensitive user data (Ars Technica)

Monty Solomon <monty@roscom.com>
Tue, 23 Jun 2020 18:49:30 -0400
https://arstechnica.com/information-technology/2020/06/chrome-extensions-with-33-million-downloads-slurped-sensitive-user-data/

The extensions, which Google removed only after being privately notified of
them, actively siphoned data such as screenshots, contents in device
clipboards, browser cookies used to log in to websites, and keystrokes such
as passwords, researchers from security firm Awake told me. Many of the
extensions were modular, meaning once installed, they updated themselves
with executable files, which in many cases were specific to the operating
system they ran on. Awake provided additional details in this report.

https://cdn2.hubspot.net/hubfs/3455675/wp-the-internets-new-arms-dealers-malicious-domain-registrars.pdf


Millions of documents from >200 US police agencies published in BlueLeaks trove (Ars Technica)

Monty Solomon <monty@roscom.com>
Tue, 23 Jun 2020 18:34:10 -0400
Document dump comes almost 4 weeks after murder by police of George Floyd.

https://arstechnica.com/tech-policy/2020/06/blueleaks-airs-private-data-from-more-than-200-us-police-agencies/


Wrongfully Accused by an Algorithm (NYTimes)

Monty Solomon <monty@roscom.com>
Wed, 24 Jun 2020 14:49:41 -0400
In what may be the first known case of its kind, a faulty facial recognition
match led to a Michigan man's arrest for a crime he did not commit.

https://www.nytimes.com/2020/06/24/technology/facial-recognition-arrest.html


If T-Mobile's giant outage affected you, now's your chance to tell the FCC (Ars Technica)

Monty Solomon <monty@roscom.com>
Tue, 23 Jun 2020 18:32:41 -0400
FCC asks public to describe experiences during last week's 13-hour outage.

https://arstechnica.com/tech-policy/2020/06/if-t-mobiles-giant-outage-affected-you-nows-your-chance-to-tell-the-fcc/


This sneaky malware goes to unusual lengths to cover its tracks (ZDNet)

geoff goodfellow <geoff@iconia.com>
Wed, 24 Jun 2020 14:20:40 -1000
*Glupteba creates a backdoor into infected Windows systems - and researchers
think it'll be offered to cyber criminals as an easy means of distributing
other malware.*

A malware campaign which creates a backdoor providing full access to
compromised Windows PC, while adding them to a growing botnet, has developed
some unusual measures for staying undetected.

Glupteba first emerged in 2018 and started by gradually dropping more
components into place on infected machines in its bid to create a backdoor
to the system.

The malware is continuously in development and in the last few months it
appears to have been upgraded with new techniques and tactics to coincide
with a new campaign which has been detailed by cybersecurity researchers at
Sophos.
<https://www.zdnet.com/article/what-is-malware-everything-you-need-to-know-about-viruses-trojans-and-malicious-software/>

The paper <https://news.sophos.com/en-us/?p=67447> describes Glupteba as
"highly self-defending malware" with the cyber criminal group behind it
paying special attention to "enhancing features that enable the malware to
evade detection".

However, its method of distribution is relatively simple: it's bundled in
pirated software, including cracked versions of commercial applications, as
well as illegal video game downloads. The idea is simply to get as many
users to download compromised applications which contain the Glupteba
payload as possible.

To ensure the best possible chance of a successful compromise, the malware
is gradually dropped, bit-by-bit onto the system to avoid detection by any
anti-virus software the user may have installed. The malware also uses the
EternalBlue SMB vulnerability to help it secretly spread across networks.
<https://www.zdnet.com/article/why-the-fixed-windows-eternalblue-exploit-wont-die/>

But that isn't where the concealment and self-defence ends, because even
after installation Glupteba goes out of its way to stay undetected. [...]
https://www.zdnet.com/article/this-sneaky-malware-goes-to-unusual-lengths-to-cover-its-tracks/


Masked arsonist might've gotten away with it if she hadn't left Etsy review (Jon Brodkin)

Jim Reisert AD1C <jjreisert@alum.mit.edu>
Sun, 21 Jun 2020 17:00:58 -0600
Jon Brodkin, Ars Technica, 18 Jun 2020
Woman who burned two police cars IDed by tattoo and Etsy review of her
T-shirt.

  To some extent, every Internet user leaves a digital trail. So when a
  masked arsonist was seen on video setting fire to a police car on the day
  of a recent protest in Philadelphia, the fact that her face was hidden
  didn't prevent a Federal Bureau of Investigation agent from tracking down
  the suspect. The keys ended up being a tattoo and an Etsy review the
  alleged arsonist had left for a T-shirt she was wearing at the scene of
  the crime, according to the FBI.

https://arstechnica.com/tech-policy/2020/06/masked-arsonist-mightve-gotten-away-with-it-if-she-hadnt-left-etsy-review/


Crooks abuse Google Analytics to conceal theft of payment card data (Ars Technica)

Monty Solomon <monty@roscom.com>
Tue, 23 Jun 2020 18:37:40 -0400
Ecommerce site's blind trust makes the service a perfect place to dump data.

https://arstechnica.com/information-technology/2020/06/google-analytics-trick-allows-crooks-to-hide-card-skimming/


Bot mafias have wreaked havoc in World of Warcraft Classic (WiReD)

Monty Solomon <monty@roscom.com>
Tue, 23 Jun 2020 18:39:21 -0400
Blizzard has suspended or closed over 74,000 accounts in the last month.

https://www.wired.com/story/world-of-warcraft-classic-russian-bots/


The Pentagon's Bottomless Money Pit (RollingStone)

<bmeacham01@earthlink.net>
Mon, 22 Jun 2020 15:32:39 -0500
When the Defense Department flunked its first-ever fiscal review, one of our
government's greatest mysteries was exposed: Where does the DoD's $700
billion annual budget go?

Contains numerous mentions of huge IT project failures.

https://www.rollingstone.com/politics/politics-features/pentagon-budget-mystery-807276/

Just over 50 years ago, Dwight Eisenhower gave his famous farewell address
warning of the power of the "military-industrial complex." The former war
commander bemoaned the creation of a "permanent armaments industry of vast
proportions," and said the "potential for the disastrous rise of misplaced
power exists and will persist."

Eisenhower's warning is celebrated by the left as a caution against the
overweening political power of war-makers, but as we're now seeing, it was
predictive also as a fiscal conservative's nightmare vision of the future.
The military has become an unstoppable mechanism for hoovering up taxpayer
dollars and deploying them in the most inefficient manner possible.


Testing, testing, testing

Rob Slade <rmslade@shaw.ca>
Mon, 22 Jun 2020 11:24:04 -0700
Recently, a certain national leader has directed that testing for the
SARS-CoV-2 virus be "slowed" so that the numbers of new cases of the disease
will be reduced.  This is, of course, flatly ridiculous.  Testing does not
cause problems, it just reveals existing problems.  And the lack of testing
doesn't prevent problems, it only blinds you to the scope of the problem.  I
have told my "testing" story before ...

Oh, well, what the hey:

I am reminded of a situation where sales and marketing was supposed to carry
out virus scans before they installed our product. They had previously been
using an inferior product, and I mandated that they use a more accurate
product.  At one point a machine was brought in as a problem. The first step
in my process was to scan the machine, and, sure enough, it was infected.

"Did you scan it?"

"Yes."

"Did you use the right scanner?"

"Well, no, we used the old one."

"Why did you use the old scanner, when I've specified that you have to use
the new one?"

"Well, when we use the one you told us to, it finds viruses ..."


Coronavirus misinformation, and how scientists can help to fight it

Dave Farber <farber@gmail.com>
Tue, 23 Jun 2020 10:29:33 +0900
https://www.nature.com/articles/d41586-020-01834-3


Wirecard, a Payments Firm, Is Rocked by a Report of Missing $2B (NYTimes)

Monty Solomon <monty@roscom.com>
Tue, 23 Jun 2020 08:10:03 -0400
The German company's share price has plunged 80 percent, and its longtime
chief executive has resigned.

https://www.nytimes.com/2020/06/19/business/wirecard-scandal.html


Social Media Giants Support Racial Justice. Their Products Undermine It. (NYTimes)

Monty Solomon <monty@roscom.com>
Tue, 23 Jun 2020 08:13:18 -0400
Shows of support from Facebook, Twitter and YouTube don't address the way those platforms have been weaponized by racists and partisan provocateurs.

https://www.nytimes.com/2020/06/19/technology/facebook-youtube-twitter-black-lives-matter.html


Square, Jack Dorsey's Pay Service, Is Withholding Money Merchants Say They Need (NYTimes)

Monty Solomon <monty@roscom.com>
Tue, 23 Jun 2020 09:16:55 -0400
Small businesses say the Twitter chief's other company is holding on to 30 percent of their customers' payments during the pandemic.

https://www.nytimes.com/2020/06/23/technology/square-jack-dorsey-pandemic-withholding.html


Many Medical Decision Tools Disadvantage Black Patients (NYTimes)

Monty Solomon <monty@roscom.com>
Tue, 23 Jun 2020 09:22:30 -0400
Doctors look to these digital calculators to make treatment decisions, but
they can end up denying black patients access to certain specialists, drugs
and transplants.

https://www.nytimes.com/2020/06/17/health/many-medical-decision-tools-disadvantage-black-patients.html


Why Obsessive K-Pop Fans Are Turning Toward Political Activism (NYTimes)

Monty Solomon <monty@roscom.com>
Tue, 23 Jun 2020 07:47:12 -0400
After claiming some credit for the fizzling of President Trump's rally in
Oklahoma, the online armies of Korean pop music listeners are feeling
prepared and empowered.

https://www.nytimes.com/2020/06/22/arts/music/k-pop-fans-trump-politics.html


Re: TikTok Teens and K-Pop Fans Say They Sank Trump Rally (PGN comment in RISKS-32.02)

William Bader <william.bader@gmail.com>
Sun, 21 Jun 2020 22:21:24 +0100
> The title Monty sent me is the one online, which says `Stans' instead of
> `Fans'.

"A crazed and or obsessed fan. The term comes from the song Stan by eminem.
The term Stan is used to describe a fan who goes to great lengths to obsess
over a celebrity." https://www.urbandictionary.com/define.php?term=Stan

  [Thanks to at least a dozen readers for helping my education.  I stans
  corrected.  But I remember Stan Laurel and Oliver Hardy, whom all but the
  oldest RISKS readers probably don't.  PGN]


Re: Silicon Valley Can't Be Neutral (Via Dave Farber)

John Levine <johnl@iecc.com>
June 24, 2020 6:22:20 JST
In article <566E5F5C-2B19-4E1E-AF1D-0F1194EDC43B@keio.jp> you write:

> Silicon Valley Can't Be Neutral in the U.S.-China Cold War --
> https://foreignpolicy.com/2020/06/22/zoom-china-us-cold-war-unsafe

> In other words, Zoom is rolling out a “one-company, two-systems model'' --
> participants in China would be subject to censorship, but those outside of
> China would not.

I agree this is pretty creepy, but how is this fundamentally different from
the way that EU laws like right to be forgotten make search engines results
in Europe omit stuff that is included other places?

If you're going to operate in a country at all, you have to follow the
country's rules. I expect I would have a different answer to whether I'd
operate in China.
